Quantifying Key Characteristics of 71 Data Protection Laws Nieuwesteeg Bernold This paper presents a pioneering study that unlocks six characteristics in the literal text of 71 Data Protection Laws (DPLs). The characteristics are: the type of collection requirements; the presence of data protection authorities; data protection officers; data breach notification laws; monetary-; and criminal penalties. The quantification allows comparison of data protection laws with each other, such as a potential federal U.S. DPL with European DPLs. It can also be used for empirical legal research in information security by linking the data to other variables, for instance, deep packet inspection. There are some noteworthy initial results: only 5 out of 71 DPLs have penalties for non-compliance that exceed 1 million euro. Moreover, compared to the United States (US), few countries (21 out of 71) have data breach notification laws. Principal component analysis reveals that the six characteristics can be grouped in two unobserved factors, which explain ‘basic characteristics’ across laws and ‘add-ons’ to these characteristics. By combining these two factors a privacy index is constructed. Moreover, countries that are not known for their stringent privacy control such as Mauritius and Mexico occupy a top position in this index. Member States of the European Union have DPLs with a privacy control score above average but hold no absolute top position. It is hoped that these findings will open avenues for new research, such as adding more characteristics to the database and further quantification of (internet) law. Data Protection Laws comparative law empirical legal analysis privacy control quantitative text analysis 340 periodical academic journal JIPITEC 7 3 2017 182 203 2190-3387 urn:nbn:de:0009-29-45103 http://nbn-resolving.de/urn:nbn:de:0009-29-45103 nieuwesteeg2017